Aug 26 2020 06:55 AM
I'd like to create a query to review creation of new services so as to find unique ones in my environment, but I'm not finding a way to do it. Ideally I'd also like to automatically provide some analysis on any binaries launched by those services (e.g. prevalence information in the wild and VT score) - could someone point me in the right direction?
Sep 07 2020 01:22 PM
This should get you started
DeviceEvents
| where ActionType == 'ServiceInstalled'
If I find the time, I'll look into the 2nd topic you mentioned.
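As an added example (not part of the original reply), the query below builds on the same DeviceEvents / ServiceInstalled starting point to get at the "unique services" part of the question and the first half of the enrichment part. It groups service installs by the binary's hash, keeps binaries seen on only a few devices in the tenant, and then enriches those with global prevalence and signer information via the FileProfile() enrichment function of Microsoft 365 Defender advanced hunting. Assumptions: the ServiceName and ServiceStartType values are read from AdditionalFields under those names, and FileName/FolderPath/SHA1 on a ServiceInstalled event describe the service binary; the 30-day window and the "3 devices or fewer" threshold are arbitrary tuning values.

```kql
// Added example, not from the original answer.
// Goal: surface service binaries that are rare in this environment and
// enrich them with global prevalence data for triage.
// Assumption: AdditionalFields on a 'ServiceInstalled' event carries
// ServiceName and ServiceStartType; FileName/FolderPath/SHA1 describe the
// service binary. Adjust the field names if your tenant's events differ.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == 'ServiceInstalled'
| extend Fields = parse_json(AdditionalFields)
| extend ServiceName = tostring(Fields.ServiceName),
         ServiceStartType = tostring(Fields.ServiceStartType)
| where isnotempty(SHA1)
// Local prevalence: on how many distinct devices has this binary been
// installed as a service, and under which names/paths?
| summarize DeviceCount = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ServiceNames = make_set(ServiceName, 10),
            StartTypes = make_set(ServiceStartType, 5),
            Paths = make_set(FolderPath, 5)
    by SHA1, FileName
// Keep only binaries that are rare in this tenant (threshold is arbitrary)
| where DeviceCount <= 3
// Global prevalence, first-seen date, signer and Defender detection name.
// FileProfile() enriches up to the given number of rows per query.
| invoke FileProfile(SHA1, 500)
| project-reorder FileName, SHA1, DeviceCount, GlobalPrevalence, GlobalFirstSeen,
                  Signer, IsCertificateValid, ThreatName, ServiceNames,
                  StartTypes, Paths, FirstSeen, LastSeen
| order by GlobalPrevalence asc, DeviceCount asc
```

Rows with an empty GlobalPrevalence are binaries Microsoft has no prevalence data for, which is itself a useful signal for a service binary. The VirusTotal score mentioned in the question is not something the hunting query language can fetch on its own; the SHA1 column from this result set is what you would hand to an external lookup (for example a scheduled playbook that calls the VirusTotal API) to add that.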